[ https://issues.apache.org/jira/browse/LOG4J2-3293?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17466262#comment-17466262 ]

Gary D. Gregory commented on LOG4J2-3293:
-----------------------------------------

You should contact your vendors for certain; only they would know what is safe 
to do and not to do with their particular product. You'll have to assume the 
risk for anything you do yourself to their software, unfortunately. It might be 
safe to replace this jar with that jar, but there is no way to tell what the 
consequences are from the outside looking in.

> JDBC Appender should use JNDI Manager and JNDI access should be limited.
> ------------------------------------------------------------------------
>
>                 Key: LOG4J2-3293
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3293
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Appenders
>    Affects Versions: 2.17.0
>            Reporter: Ralph Goers
>            Assignee: Gary D. Gregory
>            Priority: Major
>             Fix For: 2.17.1
>
>
> JDBC Appender should use JndiManager when accessing JNDI. JNDI access should 
> be controlled via a system property.
> Related to 
> [CVE-2021-44832|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832]
>  where an attacker with permission to modify the logging configuration file 
> can construct a malicious configuration using a JDBC Appender with a data 
> source referencing a JNDI URI which can execute remote code.
> Fixed in 
> [https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16]
>  

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
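A defender-side audit for the configuration shape the issue describes, added here as an example (it is not code from the Log4j project or from the issue): it parses a Log4j 2 XML configuration, lists every JDBC appender whose DataSource is resolved through JNDI, and checks whether the JVM has opted in through the `log4j2.enableJndiJdbc` system property that 2.17.1 introduced. The sample configuration and the property name are assumptions not taken from this page.

```python
"""Audit a Log4j 2 XML configuration for JDBC appenders whose connection
source is a JNDI DataSource, the configuration shape named in LOG4J2-3293."""
import xml.etree.ElementTree as ET

# Constructed sample configuration (not from the issue): a console appender,
# a JDBC appender on a container-local java: DataSource, and a JDBC appender
# whose DataSource name points outside the java: namespace.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Stdout" target="SYSTEM_OUT"><PatternLayout pattern="%m%n"/></Console>
    <JDBC name="AuditDb" tableName="audit_log">
      <DataSource jndiName="java:comp/env/jdbc/AuditDS"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
    <JDBC name="Tampered" tableName="t">
      <DataSource jndiName="ldap://untrusted.example/obj"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Stdout"/></Root></Loggers>
</Configuration>"""


def find_jndi_data_sources(config_xml: str) -> list:
    """One record per JDBC appender backed by <DataSource jndiName="...">.
    Tag names are compared case-insensitively because Log4j 2 matches
    plugin names that way."""
    findings = []
    for appender in ET.fromstring(config_xml).iter():
        if appender.tag.lower() != "jdbc":
            continue
        for child in appender:
            if child.tag.lower() == "datasource" and "jndiName" in child.attrib:
                jndi_name = child.attrib["jndiName"]
                findings.append({
                    "appender": appender.get("name", "<unnamed>"),
                    "jndiName": jndi_name,
                    # Only the container-local java: namespace is expected in a
                    # legitimate config; any other scheme warrants review.
                    "local_java_namespace": jndi_name.lower().startswith("java:"),
                })
    return findings


def jndi_jdbc_enabled(jvm_system_properties: dict) -> bool:
    """From 2.17.1 the JDBC appender's JNDI access is off unless the JVM sets
    log4j2.enableJndiJdbc=true (property name from the release, not this page)."""
    return jvm_system_properties.get("log4j2.enableJndiJdbc", "false").lower() == "true"
```

Run it against the deployed configuration file and the JVM's `-D` properties; any finding outside the `java:` namespace, or any finding at all on a JVM that has the property enabled, is worth a ticket.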